2026-04-03
GDPR Article 46 and Third-Country Data Transfers: What You Actually Need to Do
EUR 2 billion in fines so far. If you transfer personal data outside the EEA, here is what GDPR Article 46 requires and how the rules have changed since Schrems II.
Every company that uses US-based cloud services transfers personal data outside the European Economic Area. That makes GDPR Article 46 one of the most consequential parts of the regulation for day-to-day business operations. Regulators have issued over EUR 2 billion in fines specifically for transfer violations since 2023. Meta alone paid EUR 1.2 billion. This is not a theoretical risk.
What Article 46 actually says
Article 46 governs transfers of personal data to countries that don't have an EU adequacy decision (meaning the European Commission hasn't declared that country's data protection is good enough). It lists the legal tools you can use to make such transfers lawful:
Without needing supervisory authority approval:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Binding Corporate Rules (BCRs) for intra-group transfers
- Approved codes of conduct with binding commitments from the data importer
- Approved certification mechanisms with binding commitments
With supervisory authority approval:
- Custom contractual clauses negotiated between the parties
- Administrative arrangements between public authorities
The requirement that runs through all of them: enforceable data subject rights and effective legal remedies must be available in the destination country.
The Schrems rulings: why the rules keep changing
Two court cases driven by Austrian privacy advocate Max Schrems reshaped how these transfers work in practice.
Schrems I (October 2015) invalidated the EU-US Safe Harbor framework. The Court of Justice found that US surveillance programs (revealed by Snowden in 2013) meant the Safe Harbor's self-certification scheme couldn't ensure protection equivalent to EU law.
Schrems II (July 2020) invalidated the replacement, the EU-US Privacy Shield. The Court found that US intelligence collection under FISA Section 702 and Executive Order 12333 still exceeded what's proportionate under EU standards. The Ombudsperson mechanism that Privacy Shield created lacked independence and binding authority.
The Court did not invalidate Standard Contractual Clauses, but added a critical condition: before using SCCs, the data exporter must assess case-by-case whether the destination country's laws allow the importer to actually comply with the clauses. If they can't, supplementary measures are required. If no supplementary measures can bridge the gap, the transfer must stop.
The current situation: the EU-US Data Privacy Framework
The third attempt at a stable US transfer mechanism, the EU-US Data Privacy Framework (DPF), received its adequacy decision on July 10, 2023. On the US side, it rests on Executive Order 14086 (October 2022), which introduced proportionality limits on signals intelligence and created a Data Protection Review Court (DPRC) as a redress mechanism for EU citizens.
Over 2,800 organizations hold active DPF certifications. The European Commission's first periodic review (October 2024) concluded that US authorities had implemented the necessary structures.
But the DPF sits on shaky ground:
The PCLOB problem. On January 27, 2025, three members of the Privacy and Civil Liberties Oversight Board were fired, leaving the board below its three-member quorum. The PCLOB oversees whether US intelligence agencies comply with the DPF's privacy commitments. A DC district court ruled the firings unlawful in May 2025 and ordered reinstatement, but the government appealed. As of April 2026, the board's oversight function remains impaired.
Legal challenges. French MP Philippe Latombe (also a CNIL member) filed a challenge to the DPF in September 2023. The General Court dismissed it in September 2025, but Latombe appealed to the CJEU in October 2025. That appeal is pending. NOYB (Schrems' organization) has signaled it intends to file a broader challenge.
The executive order risk. The DPF's US legal basis is an executive order, not a statute. Any future president can revoke it unilaterally, which would immediately undermine the adequacy decision.
Standard Contractual Clauses: the workhorse transfer tool
The European Commission adopted the current SCCs on June 4, 2021. All contracts must use this version (the deadline for migrating old SCCs was December 27, 2022).
The SCCs come in four modules for international transfers:
- Module 1: Controller to Controller
- Module 2: Controller to Processor
- Module 3: Processor to Processor
- Module 4: Processor to Controller
The clause text cannot be altered. You sign them as-is. But here's what many companies miss: Clause 14 of the SCCs requires you to conduct a Transfer Impact Assessment (TIA) before the transfer begins. The SCCs are not a sign-and-forget document.
Transfer Impact Assessments: the step most companies skip
A TIA is a documented evaluation of whether the destination country's legal framework allows the data importer to honor its contractual commitments under the SCCs. The CNIL published its final practical TIA guide on January 31, 2025, structured around six steps.
What you need to assess:
- The surveillance and government access laws in the destination country
- Whether those laws override the protections in your SCCs
- What supplementary measures (technical, organizational, contractual) can close the gap
- Whether the supplementary measures actually work
If the answer to step 4 is "no," you cannot make the transfer. Full stop.
Most companies that sign SCCs with US cloud providers never complete a TIA. That's exactly how Meta ended up with a EUR 1.2 billion fine. The Irish DPC found that Meta relied on SCCs for US transfers but failed to implement adequate supplementary measures given what Schrems II established about US surveillance law.
Supplementary measures: what the EDPB recommends
The EDPB's Recommendations 01/2020 (finalized June 18, 2021) lay out three categories:
Technical measures are the most effective. Encrypt data with keys held exclusively by the exporter (or an entity in an adequate country), so the importer can't decrypt it even under a government order. Pseudonymize data where only the exporter holds the re-identification keys. Use split processing so no single entity sees the full dataset.
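The key-custody point in the paragraph above (the re-identification key stays with the exporter, so the importer cannot reverse the pseudonyms even when compelled) is easy to get wrong: hashing an email address with an unkeyed hash is not pseudonymization, because anyone can hash a guessed address and compare. The following added example, written for this page rather than taken from any regulator's or vendor's code, shows the measure done correctly with a keyed hash (HMAC-SHA256) held only on the exporter side, a third-country importer that aggregates on tokens alone, and a dictionary-guess attempt that fails without the key. The class and function names (`Exporter`, `importer_aggregate`, `importer_dictionary_guess`, `run_transfer`) and the `SAMPLE_RECORDS` are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Fields that directly identify a person; only these are tokenized before export.
DIRECT_IDENTIFIERS = ("email", "name")


class Exporter:
    """EEA-side controller. Holds the tokenization key and the re-identification table.
    Neither the key nor the table is ever sent to the importer."""

    def __init__(self, key: Optional[bytes] = None):
        # 256-bit secret; in practice this would live in an EEA-controlled KMS/HSM.
        self.key = key or secrets.token_bytes(32)
        self._reid: dict = {}

    def token(self, value: str) -> str:
        # Keyed hash: a token cannot be recomputed from a guessed value without self.key.
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymize(self, records: list) -> list:
        """Replace direct identifiers with tokens; remember the mapping locally."""
        shipped = []
        for rec in records:
            pseudo = dict(rec)
            for field in DIRECT_IDENTIFIERS:
                if field in pseudo:
                    tok = self.token(pseudo[field])
                    self._reid[tok] = pseudo[field]
                    pseudo[field] = tok
            shipped.append(pseudo)
        return shipped

    def reidentify(self, tok: str) -> str:
        """Only the exporter can map a token back to the original value."""
        return self._reid[tok]


def importer_aggregate(pseudonymized: list) -> Counter:
    """Third-country processor: counts events per pseudonymous subject. Never sees the key."""
    return Counter(r["email"] for r in pseudonymized)


def importer_dictionary_guess(tok: str, candidates: list) -> Optional[str]:
    """What an importer (or anyone who obtains the export) can try without the key:
    hash each guessed email and compare. This only works against unkeyed hashes."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == tok:
            return candidate
    return None


# Constructed sample records, not real personal data.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna K.", "event": "login"},
    {"email": "anna@example.eu", "name": "Anna K.", "event": "purchase"},
    {"email": "ben@example.eu", "name": "Ben O.", "event": "login"},
]


def run_transfer() -> dict:
    """Walk through one export: tokenize, let the importer aggregate, re-identify at home."""
    exporter = Exporter()
    shipped = exporter.pseudonymize(SAMPLE_RECORDS)
    counts = importer_aggregate(shipped)
    top_token, n_events = counts.most_common(1)[0]
    guessed = importer_dictionary_guess(top_token, [r["email"] for r in SAMPLE_RECORDS])
    return {
        # True only if a raw address leaked into the export.
        "shipped_has_raw_identifiers": any(r["email"].endswith("@example.eu") for r in shipped),
        "importer_guess_without_key": guessed,          # None: keyed tokens resist guessing
        "exporter_reidentified": exporter.reidentify(top_token),
        "events_for_top_subject": n_events,
    }


if __name__ == "__main__":
    print(run_transfer())
```

The same custody principle applies to the encryption measure in the paragraph above: the importer may hold ciphertext, but the decryption key must stay with the exporter (or an entity in an adequate country), otherwise a government order served on the importer defeats the measure. Note that tokens are still personal data under the GDPR (the exporter can re-identify them), so the TIA must still be completed; pseudonymization lowers the impact of importer-side access, it does not remove the transfer from Article 46.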
Organizational measures include internal data transfer governance policies, minimizing the categories and volume of data transferred, and staff training.
Contractual measures require the importer to be transparent about government access requests, challenge disproportionate requests, and notify the exporter promptly.
The EDPB was explicit: for some countries, no combination of supplementary measures may be sufficient. If that's your conclusion, the transfer cannot proceed.
The enforcement track record
Regulators are not bluffing. The fines for transfer violations are among the largest ever issued under the GDPR:
| Date | Company | Fine | Issue |
|---|---|---|---|
| May 2023 | Meta | EUR 1.2 billion | US transfers via SCCs without adequate supplementary measures |
| July 2024 | Uber | EUR 290 million | EU driver data (location, IDs, criminal/medical records) transferred to US for 27 months without safeguards |
| May 2025 | TikTok | EUR 530 million | EEA user data transferred to China without verifying SCC effectiveness; also stored data on Chinese servers while claiming otherwise |
The Meta fine came after a binding EDPB decision in April 2023. The TikTok fine included EUR 485 million for the Article 46(1) violation alone, plus EUR 45 million for a transparency failure under Article 13.
The CLOUD Act conflict
US law creates a direct conflict with GDPR. The CLOUD Act (2018) requires US-headquartered companies to produce data upon valid US government demand, regardless of where that data is physically stored. Your data can sit in a Frankfurt data center, and a US court order can still compel the US-owned operator to hand it over.
GDPR Article 48 says transfers based on third-country court orders are unlawful unless an international agreement authorizes them. No such agreement exists between the EU and US for this purpose. Companies caught between these two regimes face a legal conflict with no clean resolution.
This matters because roughly 97% of Europe's cloud infrastructure market is controlled by non-European providers, primarily AWS, Google Cloud, and Microsoft Azure.
What European companies should do now
If you rely on the DPF: Don't treat it as permanent. The adequacy decision could be invalidated by a future CJEU ruling, an executive order revocation, or a negative periodic review. Have a fallback plan.
If you use SCCs: Complete your TIA. Document it. Implement supplementary measures. The TIA is not optional; it's built into Clause 14 of the SCCs themselves. The CNIL's January 2025 guide provides a practical framework.
Consider European alternatives. If you can process personal data entirely within the EEA using European-headquartered providers, Article 46 doesn't apply. There is no TIA to complete, no supplementary measures to implement, no risk of a Schrems III wiping out your legal basis. The transfer problem disappears. That's the structural argument for choosing European SaaS and cloud providers, beyond any single regulatory deadline.
Map your data flows. Step 1 of the EDPB's six-step roadmap is knowing where your data goes. Many companies discover during this exercise that personal data reaches third countries through subprocessors they didn't know about.
Re-evaluate periodically. The legal situation changes. The DPF's stability depends on US political decisions. New CJEU rulings can shift the requirements overnight. A TIA done in 2023 may not reflect reality in 2026.
The full text of GDPR Article 46 is at gdpr-info.eu/art-46-gdpr. The EDPB's supplementary measures recommendations are at edpb.europa.eu. The CNIL's TIA guide is at cnil.fr.